CVE-2026-21404
Hard-Coded Credentials in NAVTOR NavBox
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: ICS-CERT
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| navtor | navbox | up to and including 4.16.1.20 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in NAVTOR NavBox versions up to 4.16.1.20, where hard-coded credentials are embedded within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract these credentials. Using the extracted credentials, the attacker can bypass the intended transfer workflow by authenticating against the SOAP interface.
Once authenticated, the attacker gains access to privileged WCF methods, which allows them to write or overwrite files within paths defined by the application.
How can this vulnerability impact me?
This vulnerability can allow a local attacker to bypass security controls by extracting hard-coded credentials and gaining privileged access to the SOAP interface.
With this access, the attacker can write or overwrite files in application-defined locations, potentially leading to unauthorized modification of data or application behavior.